Ever read one of these addressed to you? If not, congratulations. But based on statistics, headlines, and personal experience, I’m going to guess you have (or you’re really bad at getting to your snail mail.) My most recent came from a financial institution that handles a retirement account for me. I first heard about the breach from the usual online sources long before receiving a letter. This news was accompanied by a disproportionate increase in stomach acid, a search for more information, a check on my account status, and then eventually a return to what I was doing. En masse people have credit cards canceled, accounts drained, identities stolen, yet somehow less than an hour after being alerted to a potential risk to what I’ve put away for my retirement, I’m back to working on someone else’s security architecture. How exactly did we, as individuals, end up in a position where we’ve basically learned to ignore over a half billion breaches of our data?[i]

Let me qualify what I mean by “our data.” I mean large cross sections of individual and consumer data. Personally I’ve received a relatively small number of these notification letters over the years, I’ve only caught one fraudulent credit card charge, and any shortfalls in my retirement planning are still “unforced errors.” But in following the never-ending flow of new breaches affecting millions, apparently I’m also nearing the point of shrugging my way back to our regularly scheduled programming. It can be called “breach fatigue” and I’m trying to put my finger on exactly how with headlines like this: “CYBERATTACKS NOW COST OVER $1.5 TRILLION A YEAR”, it’s a very real thing (even for someone who works in security.)

Here’s a cursory list of what I figure to be the most important (I’m sure there are more ways to slice and dice this issue) variables at work underneath breach fatigue:

Actual cost

Comprehension

Market alternatives

Ability to affect level of risk

Emotional/intangible impact

Actual Cost – There is a delta here that probably helps explain a large chunk of the breach fatigue phenomenon. That is, the actual cost to you will be wildly different if you are merely an included individual in a large breach, than if your data is actually leveraged to commit fraud or other malfeasance. If there’s an “upside” to a large breach (spoiler alert: there’s not) it’s that in a huge compromise a very small percentage (not number) of included individuals will likely see a high actual cost, assuming the breach isn’t mishandled. For those whose data is leveraged the cost, even beyond actual dollars in terms of time and productivity, is often crippling. The very real “downside” is that, after large-scale and repeated notifications, those whose data isn’t actually leveraged begin to interpret each successive notification as a “zero actual cost” event as opposed to a dire warning about how their bank, retailer, service, etc. almost completely jacked up their financial and reputational future. This stream of notifications should reflect increasing risk to our sensitive data; instead it is taken by many as increased frequency of “zero actual cost” breaches. It’s a completely inverse read on the actual risk being presented and a recipe for breach fatigue.

Comprehension – Enterprise security can be pretty dense subject matter. It’s not clear that, even with sufficient after-action reports and technical details (both rarities), an average person will read about a breach and conclude better risk mitigation steps were available and should have been taken. I recall a number of reports from major institutions that led me to say things like, “How have they been passing their PCI assessments all this time??”, “Aren’t these guys HIPAA/HITECH regulated??”, “Isn’t that a ‘Security 101’ mistake??” etc. While this raises major red flags in my mind about doing business with an organization, I realize these are not the questions or the concerns of the average customer. Little public concern follows even major security gaffes and there is seldom substantive change beyond a couple terminations, resignations, and general lip service. It’s difficult to make informed decisions about a breach when you’re not getting much detail to begin with and IT jargon reads like a David Lynch dream scene to you.

Market Alternatives – Let’s build off of the notion of a comprehension factor and address two scenarios:

You are completely oblivious to all things IT and a thorough reading of your compromised bank’s breach report could trigger an infringement action by the holder of the Ambien patent. All you want to know is if they have your money and it’s safe to keep it with them.

You’re the sort of geek who reads blogs on technology, security, and related policy in your free time and you’re not happy with what you just read from your business partner.

If you’re the person in the first scenario and the notion of a breach at your bank of choice upsets you, will switching banks help? How would you know? As the headlines detail other, also trusted and reputable, banks being compromised how does the average person interpret their market alternatives for a “secure banking (or retailer, service provider, etc.) option?” If the biggest and most trusted names in a sector are making the headlines, how does the average person discern the merits of their security offerings? Again, the avalanche of breach news adds more noise to the signal.

If you’re in the security savvy set, you may determine that a particular vendor has been playing fast and loose with your data. You’re really disappointed and it’s time for you to part ways. How can you ensure that your next vendor is any better? Of course, there are offerings for banks, retailers, social media, etc. that allow for enhanced security measures. Things like multifactor, out of band, and hardened authentication may speak to an organization’s commitment to security, but it’s hardly a “complete picture.” The details of enterprise security plans and safeguards are not something companies are hot to share or publish. Assuming you can find an organization that hasn’t fallen prey to a similar compromise, can you really get enough information to make a determination that Company Two will be an improvement on Company One’s security practices? How do you assure that it isn’t just a matter of time before your replacement vendor joins your original vendor on datalossdb.org?

Whenever I get wind that I might be in the affected class of a breach, my first inclination is to do something. I’ve called out “market alternatives” as a variable because often I find, even after thorough research, little to no evidence that a change of vendor or provider will definitively enhance the security of my information going forward.

Ability to Affect Level of Risk – Again, finding I’m included in a breach makes me want to act to protect myself and I just addressed what limited options we have for market alternatives. Like many failing relationships, you may find yourself wondering “What if the problem is me?” It’s probably a logical stretch to think that your inclusion in an eight or nine figure table of compromised records is somehow based on your individual behavior, but it’s logical to wonder “Could I have done something to prevent this?” There are some compromises close to the end user (ATM Skimmers, account hijacks, etc.) where hardened authentication methods and enhanced paranoia might decrease your odds of being leveraged. When it comes to large scale breaches, however, the enterprise nature of the compromise really takes compromised subjects’ behavior out of the equation. As with “Market Alternatives” there’s nothing substantive I can do, in this case with my own behavior, to proactively or reactively change the level of risk I face.

Emotional and “Intangible” Impact – I work largely with public sector clients. In general, public vs. private sector security discussions raise a fair amount of “apples to oranges” objections. Over a year later, however, my clients still haven’t unclenched their teeth over the Target breach. In a field largely apathetic to private sector, bottom line focused, PCI regulated concerns, why Target? Why does that particular breach register on radar when I can probably count on one hand the number of clients who have even mentioned larger breaches like Sony PSN, Heartland, or J.P. Morgan/Chase? I believe it goes to impact affecting them as individuals as opposed to their role as a public sector CIO, CISO or Security Architect.

Like every other factor mentioned, “emotional and intangible impact” is hard to quantify and measure, but it’s more easily absorbed and internalized. The notions of canceled credit cards during the holiday shopping season, sitting on hold with an issuing bank as 70,000,000 cards are replaced in parallel, and what about those Target gift cards I just gave out? Pile all that disorder on to the manic anxiety of holiday shopping season and apparently it hits harder than a notice about a threat to your retirement account or a “DECLINE” code when you go to purchase that DQ Blizzard (maybe I’m showing my bias for small cash transactions here, but who was using a credit card at Dairy Queen in the first place??) While the variable may be somewhat “intangible” in nature, I believe Target shows us that this is the element that people most understand and react to. The intangible aspect is the only part of the equation solely derived from the affected individuals. It also shows us, when compared to other breaches, that emotional impact may not have a strictly linear relationship to things like actual cost or the total number of records breached. My informal observation is that, even without actual cost, individuals can still be affected by the emotional impact of a breach more than a year after the fact.

Looking back, the average person may find breach information is hard to comprehend, has a low signal to noise ratio, and doesn’t present them with many alternate courses of action. That’s not to say that breach fatigue equals breach apathy. It seems Americans worry more about online security than everything except walking alone at night. Could it just be that the amount and format of breach information leaves the average breach victim largely in the dark? How else can you ignore more than a half billion breaches?

[i] That’s the total number of records breached as taken from the Identity Theft Resource Center’s statistics. I realize that’s not 673,293,959 individual actions resulting in breaches, but it is 673M records breached. However you slice it, it’s a LOT to ignore.